Dear Perpass WG,

Several have expressed valid concerns regarding abuse of encrypted email. While CAs may not be trustworthy, it seems DANE offers a workable and reasonably transparent alternative to protect against undetected tampering. In addition, DANE reduces incremental costs associated with certificates, which should prove beneficial for email use.
That said, proprietary schemes are available permitting multiple decoding keys derived from conveyed indexes. The derived keys are assigned to outbound message scanners used by enterprises to ensure governmental data compliance requirements while also ensuring the integrity of the entire path traversed. If there is interest, I could prevail on my employer to disclose IPR terms and details.

Secondly, while web-based TLS exchanges normally ignore client certificates, this would not be desirable for STARTTLS related to open email exchanges. Currently, only source IP addresses are effectively used to defend SMTP servers. DKIM does not offer a suitable replacement because it fails to capture who initiated the exchange, and to whom it was being sent. In other words, DKIM lacks essential elements needed to properly identify those accountable for email abuse.

IPv6 will significantly challenge the use of source IP addresses. While the number of legitimate addresses may represent a reasonable number, most email is sourced from compromised systems likely using privacy extensions. Just a bit map tracking whether a /64 prefix is active requires 5,650 terabytes to cover just the announced /64 prefix space.

At any point in time, a bit more than 100 million registered domains are active, which collapses down to subdomains below the registrar. This relatively small number is fairly manageable compared against IP addresses, even when attempting to just white-list new MTAs.

A domain-based approach may seem fairly disruptive, but even the best content scanners fail to provide full detections while demanding significant resources. Content-based acceptance is not cost effective as the first stage in a vetting process. One hundred thousand domains control 90% of the Internet traffic. The top 150 domains control 50%, and the top 2,500 domains control 75%.
"Secure SMTP using DNS-Based Authentication of Named Entities (DANE) TLSA records" and "SMTP security via opportunistic DANE TLS" offer interesting starting points. For this to work well, a more disruptive approach is required where sending domains should be encouraged to use their own certificates. The initial availability of TLSA RRs should not miss the opportunity to use this to signal a new paradigm of expectations.

Regards,
Douglas Otis
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
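The post points at DANE TLSA records as the way to pin an SMTP server's certificate without trusting a CA. The following worked example is added here by the editor; it is not code from Douglas Otis's message, from the drafts he cites, or from any IETF implementation. It shows the publish side (deriving the record an operator would put under a TLSA owner name) and the client side (matching the certificate presented after STARTTLS against that record) for the CA-free case, certificate usage 3 (DANE-EE), with selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256), plus the alternative selector 0 / matching types 0 and 2. Everything is assumption or construction on my part: the function and record names (`tlsa_for_cert`, `tlsa_matches`, `RECORD_311`, ...), the owner name `_25._tcp.mx.example.`, and above all the "certificates", which are constructed certificate-shaped DER blobs (empty names, placeholder signature, a dummy key) rather than real signed certificates; a real deployment would hand the DER of the MX host's certificate to the same functions. The DNSSEC lookup, the STARTTLS exchange itself, and usages 0-2 (which need chain processing) are deliberately out of scope.

```python
"""Added example: DANE TLSA derivation and DANE-EE matching over raw DER.

Not code from the original post. No third-party library is needed. The
certificates built below are CONSTRUCTED, certificate-shaped DER blobs
(unsigned, empty names, dummy key), used only to exercise the functions.
"""
import hashlib
import hmac
from dataclasses import dataclass


# ---- minimal DER helpers (enough for the outer X.509 structure) ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_children(data: bytes) -> list:
    """Split a DER concatenation into (tag, content) pairs."""
    out, i = [], 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                                  # long-form length
            nbytes = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + nbytes], "big"), i + nbytes
        out.append((tag, data[i:i + ln]))
        i += ln
    return out


def spki_of(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 cert (TLSA selector 1)."""
    _, cert_body = der_children(cert_der)[0]          # Certificate SEQUENCE
    _, tbs = der_children(cert_body)[0]               # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, spki = fields[5]
    assert tag == 0x30, "subjectPublicKeyInfo must be a SEQUENCE"
    return tlv(0x30, spki)


@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE: the record alone authenticates the end-entity cert
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

    def presentation(self) -> str:
        """Zone-file form, e.g. '3 1 1 <hex>'."""
        return f"{self.usage} {self.selector} {self.mtype} {self.data.hex()}"

    @classmethod
    def parse(cls, text: str) -> "TLSA":
        u, s, m, h = text.split()
        return cls(int(u), int(s), int(m), bytes.fromhex(h))


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    selected = {0: cert_der, 1: spki_of(cert_der)}[selector]
    if mtype == 0:
        return selected
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](selected).digest()


def tlsa_for_cert(cert_der: bytes, usage=3, selector=1, mtype=1) -> TLSA:
    """Publish side: the record an operator would put under _25._tcp.<mx host>."""
    return TLSA(usage, selector, mtype, association_data(cert_der, selector, mtype))


def tlsa_matches(record: TLSA, cert_der: bytes) -> bool:
    """Client side, DANE-EE only: compare the certificate presented in STARTTLS
    with the record. Usages 0-2 need chain/trust-anchor processing (not done)."""
    if record.usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is implemented here")
    return hmac.compare_digest(
        association_data(cert_der, record.selector, record.mtype), record.data)


def build_demo_cert(key_bytes: bytes, serial: int = 1) -> bytes:
    """CONSTRUCTED certificate-shaped DER: dummy key, no real signature."""
    rsa_oid = tlv(0x06, bytes.fromhex("2a864886f70d010101"))      # rsaEncryption
    sig_oid = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))      # sha256WithRSA
    null = tlv(0x05, b"")
    version = tlv(0xA0, tlv(0x02, b"\x02"))                        # v3
    name = tlv(0x30, b"")                                          # empty Name
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    spki = tlv(0x30, tlv(0x30, rsa_oid + null) + tlv(0x03, b"\x00" + key_bytes))
    tbs = tlv(0x30, version + tlv(0x02, bytes([serial])) + tlv(0x30, sig_oid + null)
              + name + validity + name + spki)
    signature = tlv(0x03, b"\x00" + bytes(16))                     # placeholder bits
    return tlv(0x30, tbs + tlv(0x30, sig_oid + null) + signature)


KEY_A, KEY_B = b"\x01" * 32, b"\x02" * 32                # constructed dummy keys
CERT_A = build_demo_cert(KEY_A, serial=1)
CERT_A_RENEWED = build_demo_cert(KEY_A, serial=2)        # same key, reissued cert
CERT_B = build_demo_cert(KEY_B, serial=3)                # different key (impostor)

RECORD_311 = tlsa_for_cert(CERT_A)                       # 3 1 1: pins the key
RECORD_301 = tlsa_for_cert(CERT_A, selector=0)           # 3 0 1: pins the whole cert

if __name__ == "__main__":
    print("_25._tcp.mx.example. IN TLSA", RECORD_311.presentation())
    print("A            ", tlsa_matches(RECORD_311, CERT_A))           # True
    print("B            ", tlsa_matches(RECORD_311, CERT_B))           # False
    print("A renewed    ", tlsa_matches(RECORD_311, CERT_A_RENEWED))   # True
    print("A renewed 301", tlsa_matches(RECORD_301, CERT_A_RENEWED))   # False
```

The last two cases are the operational point behind "sending domains should use their own certificates": a `3 1 1` record pins the key, so routine certificate reissue with the same key keeps matching, whereas a `3 0 1` record must be rolled in lockstep with every renewal (and, with DNS TTLs in play, published ahead of the switch). The match uses a constant-time comparison out of habit; the real trust in DANE comes from the DNSSEC validation of the TLSA lookup, which this snippet does not perform.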
